Important Sarbanes-Oxley Act Mandates and What They Mean for Supply Chain Management

More and more, enterprises are realizing the importance of adopting a holistic approach to their businesses from the top down, and are beginning to harness an emerging strategic software category—governance, risk management, and compliance (GRC). To this end, their attention so far has been greatly focused on ensuring compliance with the US Sarbanes-Oxley Act (SOX). Chief financial officers (CFOs) and chief executive officers (CEOs) of publicly traded companies are now very much aware of the impact SOX has on their firms, as failure to comply with the law's strict standards and policies, even unknowingly, can essentially end the career of any executive, and often in a disgraceful manner. For a discussion of the relationship of SOX to other regulatory laws, see Thou Shalt Comply (and More, or Else).

Although the law included a number of new mandates, two sections have had clear implications for corporate information systems, and some of these implications are especially relevant to supply chain management (SCM). Namely, Section 404 (management assessment of internal controls) requires management to assess the effectiveness of its own internal controls and procedures for financial reporting each year. Section 409 (real time disclosure) requires companies to disclose material changes in their financial condition or operations on a rapid and current basis. Section 404, which requires an audit of internal controls, has made executives reexamine and sometimes replace operational systems that are not well integrated with their financial systems.

Section 401a (off-balance-sheet obligations disclosure) is an addition to the Securities Act of 1934. Section 401a requires disclosure of "material off-balance-sheet transactions, arrangements, obligations (including contingent obligations), and other relationships of the issuer [that is, the company itself, an issuer of securities] with other entities or persons" if these arrangements may have a current or future material effect on the firm's financial condition, operations, and so on.

This particularly affects service contracts, such as those typically written with ocean carriers and vendor managed inventory (VMI) arrangements undertaken to hedge risk and move assets off the balance sheet. Increasingly, businesses that adopt VMI practices to reduce current inventory assets may include some form of penalty clause in their contracts for failure to use materials or early cancellation of agreements, and Section 401a clearly requires time-phased listings of these potential obligations. Also, market conditions might change and cause firms to cancel long-term purchase agreements with suppliers, with cancellation penalties or restocking charges as a result. SOX requires enterprises to outline the precise details of these potential charges and penalties. Along similar lines, companies must report and document any early termination or cancellation fees in any lease agreements or letters of intent (which are sometimes used to aid with delivery schedules and manufacturing lead times for critical items).

While Section 401a has limited applicability to some supply chain contracts, Section 404 is broadly relevant to many SCM processes, including outsourcing arrangements. Outsourcing of processes and transactions comes under both Sections 401 and 404, whereby off-balance-sheet agreements with suppliers need to be reported (401) and subjected to effective internal controls (404). SOX is more demanding in this regard than traditional auditing standards. For instance, Section 404 directs the US Securities and Exchange Commission (SEC) to prescribe rules that require annual reports to include an internal control report. This internal control report must contain two elements: 1) it must state management's responsibility for establishing and maintaining controls (including policies, procedures, and processes) for financial reporting, and 2) it must contain an assessment of the effectiveness of these controls and procedures.

If the supply chain is to be truly controlled to the level required by SOX, then there must be a well-structured process that runs across multiple functions, and not merely a series of transactions pretending to be a process. CEOs will thus look to all leaders corporate-wide, including the SCM managers, to take a proactive and collaborative role in corporate governance, since everyone has to realize that passing audits is only one step to the improvement of corporate governance, and that auditors will never understand areas of the supply chain the same way SCM professionals do (and vice versa).

Firms that move aggressively in the direction mandated by Section 404 might even have a chance to improve the management of their supply chains (that is, achieve supply chain excellence), and to gain a competitive advantage on their rivals. This is particularly true given that other disclosure requirements (those instituted in the European Union [EU], for instance) can also support a more efficient and credible, competitive environment for businesses and their supply chains.

Control requires visibility across the process (from ordering components to delivering finished goods and services to customers), and information technology (IT) may be a necessary aid to achieving this total visibility. Yet IT alone is not sufficient to constitute SOX-level control. That is, the mere tracking of inventory cannot substitute for efficiency and effectiveness in all SCM activities. For example, with regard to inventory management and inventory write-offs, most enterprises still have the responsibility of controlling inventory and fixed assets. However, SOX now adds the requirement that inventory values be correctly stated, so that CFOs can no longer "defer" inventory write-downs to avoid write-off losses on quarterly income statements. In other words, SOX demands more accurate and timely accounting to ensure that the material is physically present, its condition is correctly stated, and inventory values are accurately recorded within the accounting system.

As for material transfers and poor inventory accuracy, most enterprises still have the responsibility for material control activities. In the past and all too often, material transfers and inventory transactions would not be processed in a timely manner, thereby creating a true inventory that is "out of kilter" with the expected-on-records situation. SOX, however, states that all movements of inventory or fixed assets must now be recorded in a timely fashion. In other words, all movements will have a definitive financial impact on the company, and the recording of accurate financial information is the foundation of SOX.

Further, an accounts payable (AP) system that does not systematically match purchase orders (POs) and receipts to vendor invoices prior to payment might be vulnerable to fraud, or even to a situation where someone creates fictitious employees or suppliers, "pays" them, and pockets the money himself or herself. Traditionally, SCM departments within enterprises have accommodated "internal customers" (for example, engineering departments) by "sanitizing" so-called "after the fact purchase order" commitments. Under SOX regulations, however, if policies and procedures specifically outline requisitioning and procurement authorities, and if these clearly state that SCM departments are not authorized to issue confirming commitments, then such actions by SCM departments would be an apparent SOX violation. The "charge" would be failure to adhere to internal controls with regard to the commitment of company funds in accordance with company policies and procedures.

All this accentuates the importance of instituting the so-called segregation-of-duties (SOD) for possible conflict-of-interest practices in the procure-to-pay processes, which include receiving, order placement, invoice processing, and establishing vendor (supplier) master data and setups. Section 404 is all about ensuring that companies have adequate approval processes and procedures in place to preempt fraud or theft, as well as making sure what controls and testing are performed to guarantee that these safeguards are working.

Other examples of good SOD practices include not allowing an engineering manager to both select and pay suppliers, because some of these suppliers could, for instance, be family members or best buddies of the manager. Software developers should not perform quality testing on their own applications. Also, an invoicing system that is not integrated with shipping might allow a manager to improperly recognize revenue that has not yet been earned. Many enterprises now also use numerous contemporary tools, such as procurement cards, e-procurement applications, and blanket order releases, to either assist with or monitor the execution of company expenditures. The aim of SOX is to ensure that businesses institute adequate controls to monitor expenditures and commitments, so that company assets are safeguarded and policies are complied with.
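The two procure-to-pay controls described in the preceding paragraphs, three-way matching of PO, receipt and invoice before payment, and a segregation-of-duties check over who holds which duties, can be expressed as simple detective checks. The following is an added example, not code from the article or from any of the vendors it names; the duty names, the conflict matrix, the 2% price tolerance and all documents and role assignments are constructed for illustration.

```python
"""Detective controls for the procure-to-pay process (illustrative, constructed
data): a segregation-of-duties conflict check and a three-way match of
purchase order, goods receipt and vendor invoice."""
from dataclasses import dataclass
from decimal import Decimal

# Assumed conflict matrix: unordered pairs of duties a single person must not
# hold at the same time.  Each pair is one of the conflicts the text warns about.
SOD_CONFLICTS = {
    frozenset({"vendor_master", "invoice_processing"}),    # create a supplier, then bill against it
    frozenset({"vendor_master", "payment_approval"}),      # create a supplier, then pay it
    frozenset({"order_placement", "receiving"}),           # order goods, then confirm their receipt
    frozenset({"supplier_selection", "payment_approval"}), # select suppliers and pay them
    frozenset({"development", "qa_testing"}),              # developers testing their own code
}


def sod_violations(assignments, conflicts=SOD_CONFLICTS):
    """Return sorted (user, duty_a, duty_b) tuples for every conflicting pair of
    duties held by one user.  `assignments` maps a user to the set of duties held."""
    found = []
    for user, duties in assignments.items():
        for pair in conflicts:
            if pair <= set(duties):
                a, b = sorted(pair)
                found.append((user, a, b))
    return sorted(found)


@dataclass(frozen=True)
class Line:
    """One document line: a PO line, a goods-receipt line or an invoice line."""
    doc_id: str
    vendor: str
    po_id: str          # for a PO line this equals doc_id
    qty: int
    unit_price: Decimal


def three_way_match(pos, receipts, invoices, price_tolerance=Decimal("0.02")):
    """Check every invoice against its PO and the cumulative goods receipts.
    Returns {invoice_id: [exception strings]}; an empty list means the invoice
    passed the match and may be released for payment."""
    po_by_id = {p.po_id: p for p in pos}
    received = {}
    for r in receipts:
        received[r.po_id] = received.get(r.po_id, 0) + r.qty
    results = {}
    for inv in invoices:
        issues = []
        po = po_by_id.get(inv.po_id)
        if po is None:
            # An invoice with no PO is an "after the fact" commitment or a fictitious supplier.
            issues.append("no purchase order on file")
        else:
            if inv.vendor != po.vendor:
                issues.append(f"vendor {inv.vendor} differs from PO vendor {po.vendor}")
            if inv.qty > po.qty:
                issues.append(f"billed qty {inv.qty} exceeds ordered qty {po.qty}")
            got = received.get(inv.po_id, 0)
            if inv.qty > got:
                issues.append(f"billed qty {inv.qty} exceeds received qty {got}")
            variance = (inv.unit_price - po.unit_price) / po.unit_price
            if variance > price_tolerance:
                issues.append(f"unit price {inv.unit_price} above PO price {po.unit_price} by {variance:.1%}")
        results[inv.doc_id] = issues
    return results


# Constructed sample data.
SAMPLE_ASSIGNMENTS = {
    "alice": {"order_placement", "invoice_processing"},
    "bob":   {"vendor_master", "invoice_processing", "receiving"},  # could bill a supplier he created
    "carol": {"supplier_selection", "payment_approval"},             # the engineering-manager case
    "dave":  {"receiving"},
}
SAMPLE_POS = [
    Line("PO-1001", "Acme Bearings", "PO-1001", 100, Decimal("12.50")),
    Line("PO-1002", "Globex Steel", "PO-1002", 40, Decimal("310.00")),
]
SAMPLE_RECEIPTS = [
    Line("GR-5001", "Acme Bearings", "PO-1001", 60, Decimal("12.50")),
    Line("GR-5002", "Acme Bearings", "PO-1001", 40, Decimal("12.50")),
    Line("GR-5003", "Globex Steel", "PO-1002", 30, Decimal("310.00")),
]
SAMPLE_INVOICES = [
    Line("INV-A1", "Acme Bearings", "PO-1001", 100, Decimal("12.50")),   # clean: fully received, same price
    Line("INV-G7", "Globex Steel", "PO-1002", 40, Decimal("330.00")),    # billed before full receipt, price +6.5%
    Line("INV-X9", "Initech Consulting", "PO-9999", 1, Decimal("5000")), # no PO exists for this invoice
]

if __name__ == "__main__":
    for v in sod_violations(SAMPLE_ASSIGNMENTS):
        print("SOD conflict:", v)
    for inv_id, issues in three_way_match(SAMPLE_POS, SAMPLE_RECEIPTS, SAMPLE_INVOICES).items():
        print(inv_id, "->", "OK" if not issues else "; ".join(issues))
```

Run as a script, it lists the two role holders whose duties conflict (bob and carol) and blocks two of the three invoices: INV-G7 for billing more than was received and for a price variance above tolerance, and INV-X9 for having no purchase order at all. The clean invoice INV-A1 passes. Both functions return their findings rather than just printing them, so the same logic can feed an alerting or audit-evidence workflow.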

Documenting Activities Affected

SOX has also had an effect on the obligation of public companies to document their activities. Since changes in their activities could affect companies' bottom lines, companies must provide all relevant information about any changes to their shareholders within ninety-six hours (see Claudia Delto's 2005 article Checking It Twice -- Basel II, Sarbanes-Oxley Act, International Financial Reporting Standards). Therefore, the timeliness requirement of Section 409 seems to call for a much more transparent and integrated financial reporting system than many companies have today. For example, companies that are accustomed to working on a ten-day financial closing period would seem to be at risk for noncompliance with the real time disclosure requirement, which is currently interpreted as demanding disclosure of material events within four business days.

Logically, when key or critical supplies or services are late, they inevitably have an impact on a company's revenue. And if late deliveries result in a material financial impact, this must be reported in a timely fashion. Also, given the trend towards more outsourcing, companies are held responsible for good business decisions and for the execution of agreements and supplier relationships. Section 409 is meant to ensure that in case of a supply disruption, there is a process in place to report the financial impact of the disruption on a timely basis, if it is of a material nature.

An SAS 70 Type II Report may also need to be included within the outsourcing proposal request. For those not familiar with the report, SAS 70 is an auditing standard designed by the American Institute of Certified Public Accountants (AICPA) to enable an independent auditor to evaluate and issue an opinion on a service organization's controls. The service auditor's report contains the auditor's opinion, a description of the controls placed in operation, and a description of the auditor's tests of operating effectiveness (if the report is a Type II).

The audit report can be shared with the service organization's customers (user organizations) and their respective auditors. The service organization is responsible for describing its control objectives and control activities that would be of interest to user organizations and their respective auditors. In other words, the report allows each outsource provider to have a single assessment account, and precludes the need for them to have each client review their processes on an individual basis. It is a mechanism for outsource providers to demonstrate the sufficiency of their controls design and to verify that their controls are operating effectively.

The problem of SOX reporting is particularly acute for firms with multiple operating units and decentralized systems. This is because in recent years, many enterprises have grown both organically and through acquisitions, and thus, accurately reporting on these business units requires a significant number of "manual" accounting processes and adjustments. Such companies will either need to adopt a common financial reporting system, perhaps integrate multiple systems with a financial reporting layer at the corporate level, or implement a performance management solution to provide near real-time analytics (see Financial Reporting, Planning, and Budgeting As Necessary Pieces of EPM).

Also, while the first few years since SOX enactment have been devoted mostly to financial issues, in 2007 and beyond, the law's mandates will likely delve deeper into organizational structures and significantly touch SCM, human resources (HR), and IT departments. Even now, SOX requires disclosure of risks and strategies that will go into effect after such disruptive events as hurricanes, accidents, and threats or actual instances of terror, to mitigate their effects.

The Challenge of SOX Compliance

Of all the laws and regulations, SOX presents some of the greatest technical challenges for businesses, since the additional requirements of the law increase the amount of required manual processing. This, in turn, significantly increases the cost of compliance. The ongoing cost of testing manual financial controls to comply with SOX requirements, as well as the ongoing compliance risks associated with those controls, is forcing companies to move towards financial management and accounting systems that not only record transactions, but that also manage the entire SOX 404 compliance process.

The early adopters of SOX compliance have reportedly learned some hard lessons. SOX programs have highlighted manual, paper-based processes as being very costly to audit compared to automated processes. It is quite time-consuming to reconcile and correct errors in manual processes. They run a higher risk of human error and (possibly vile) omissions, have high ongoing audit costs (as compliance in one location does not necessarily imply compliance in another location), and require detective controls to search for and identify errors after they have occurred. Yet, if a company is found to have disregarded or violated its reporting duties, its chief information officer (CIO) could also be convicted (see Checking It Twice). Even privately held companies that are not legally bound to comply can be indirectly impacted by SOX. Examples of such companies are those that manufacture or supply goods to large public organizations, such as auto companies; these organizations often require their suppliers to be SOX-compliant.

The logical question is—how is any organization with limited resources (particularly a smaller one) supposed to cope with all of this? Even more important, how do such organizations stay abreast of the additional changes that are certain to be on the way? One sensible answer to these questions is IT, since many software tools have been developed that can greatly simplify the process. It all comes down to managing and monitoring an organization's internal processes. These preventive, detective, or mitigating compliance controls ideally span users, roles, and processes, which all require access and authorization evaluation, testing, and remediation.

For instance, some of these solutions compare a company's current controls to compliance "best practices," and offer solutions on how to shore up weaknesses and better segregate duties. In other words, the software governs who has clearance to perform such tasks as writing a check to a vendor, paying an employee, or adding revenue in a given quarter. This software might not only set up who can do what, but it would also enforce the rules (that is, alert the compliance watchdogs should an unauthorized person attempt to "monkey" with anything, and thus prevent fraud before it occurs). Other software may help managers to document policies and procedures, creating electronic archives of those policies along the way, while several packages could flag internal transactions that look suspicious.

As a result, users should be able to achieve optimal control of SOD issues, and a system to identify control gaps and remediate risks. Generally, tools such as the recently launched Compliance Control Manager (CCM) by Lawson, Internal Controls Manager by Oracle, Enterprise Internal Controls Enforcer by PeopleSoft, Event Manager by Exact, or the CODA-Control suite, to name only some, might provide reasonably cost-efficient solutions, allowing business managers to focus their time more on operational improvements, and less on compliance issues. Further, these systems might allow user enterprises to streamline the integration of new divisions into their financial systems and processes, thereby ensuring that the business processes of the acquired units are SOX 404-compliant. For more information, see Joining the Sarbanes-Oxley Bandwagon; Meeting the Needs of Small and Medium Businesses and Using Business Intelligence Infrastructure to Ensure Compliancy with the Sarbanes-Oxley Act.

To many vendors, it makes perfect sense to launch compliance modules as packaged offerings for products and architectures that have only limited data, process, reporting, and other delivery change capability, especially from a sales or marketing department's financially sound perspective. Other vendors, such as Agresso, have quite a different approach. The company contends that it has no need to create special compliance modules and to market them as brand new products, owing to the vendor's inherent, reconfigurable, "Lego-brick" style architecture, and the virtually infinite couplings of data, processes, and so on, regardless of changing regulatory needs.

SOX may be just the beginning of a wave of financial regulations, guidelines, and laws that enterprises must comply with, either directly or indirectly. With this in mind, businesses must make certain that their enterprise resource planning (ERP) and financial management systems provide an adequate set of financials and analytics capabilities to meet the requirements.

Part Two of the series Thou Shalt Comply (and More), or Else: Looking at Sarbanes-Oxley